I am an evil giraffe. Who no longer blogs about politics.

This… is not an issue of too many people making the site crash. Heritage:

Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.

[snip]

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina.

This is an issue of the site simply not being secure at all. Heritage reported that the information provided was sufficiently detailed that Mr. Hadley was able to get in touch with the other person, who is naturally highly upset that his information is being treated this cavalierly by the federal government. As well as the man should be; health care records are peculiarly vulnerable to all sorts of fraud, scams, and confidence schemes. We have an expectation of privacy for those, and certainly nobody who signed up did so with the expectation that their data would become, effectively, a matter of public record.

Exactly who thought that making the Obamacare site go live so soon was a good idea? – Because that person was wrong. So very, very wrong.

Blue Cross Blue Shield of North Carolina informed Hadley that his current plan is no longer available and offered to auto-enroll him in a new health insurance plan. But that option would increase his monthly premiums by 92 percent and double his deductible. Hadley said he doesn’t qualify for any subsidies and won’t continue the process on HealthCare.gov because of the privacy breach.

“If I have their information, then who else has my information now?” Hadley worried.

For the record: there are elements among the Online Left that seem to think that the best way to handle being confronted with someone who has just had his premiums and deductible doubled is to condescendingly tell that person that it’s all for his own good, because clearly he wasn’t smart enough to have a good plan in the first place. Speaking as a Republican and a propagandist, let me just say: I love it when my opposite numbers let their essential contempt for the American people show. It makes my job infinitely easier; heck, it makes my job a moral obligation.

Maybe.
It covers government programs that directly pay for medical care.
But it’s a lot fuzzier as to whether or not it covers the government-run exchanges. HIPAA nominally covers Health Care Clearinghouses, but there’s a good bit of wiggle room. This is mainly because the trigger is processing health information received in a nonstandard format into a standard format. (Or vice versa.) Filling out a government form is arguably a standard format, so it can (and will be) argued that the exchanges are not covered under the law.

Ummm, no. According to the HR lectures, HIPAA prevents any unauthorized disclosure of medical information.

Any.

This includes, again per HR lecture, a manager telling anyone that “Joe is out sick” without Joe’s permission.

So…

Mew

The Department of Health & Human Services disagrees. They’re pretty specific about “covered entities” with respect to HIPAA.

That’s not to argue that the exchanges shouldn’t be covered.
But there is an argument that they aren’t, especially after you allow lawyers into the conversation.

Personally, I believe the exchanges should qualify under the Health Care Clearinghouse section. But I also believe that what “shall not be infringed” means needs no interpretation, and that the 10th Amendment actually means what it says.

I speak as an unwilling but rather traveled expert here. Health plans are covered entities. So are providers. The definition of those two is arcane. The government, interestingly, is not, unless they’re acting as a health plan (and even then there are some exceptions that probably don’t apply here). The real question is WHO disclosed the data in that unholy web of electronic mayhem they call a web site, because it is in fact Protected Healthcare Information. At least THAT would seem to be clear.

Also remember that there are federal privacy rules that apply outside of HIPAA. And that the Privacy Rule was rewritten and greatly expanded this year. And that HR departments yell “HIPAA” even if the real reason is “because we said so.” Because in the end, like so much passed since 2009, nobody really knows what the law actually says, and we don’t have enough case law to settle any boundaries. The Congresses since 2008 should be summarily dismissed on those grounds alone, actually.

Acat, my understanding is that Navigators for HIX were granted exemption from HIPAA. They should have been covered under the Business Associates portion of the law but it didn’t happen.

With the way that HIPAA was written, states could put statutory measures in place at the state level that would take precedence over Federal failure to protect PHI. It would be better than nothing. And given the political nature of some of the orgs that Sebelius et al. have allowed to become Navigators, states would be wise to do this.

Do you need to do it soon, Acat? The reason I ask is that even if you submit a paper application for enrollment, the data has to be entered into what is, for all intents and purposes, an unsecure site, in more ways than one if what I’m hearing is true. Under HIPAA Security rules, the site should have employee access to PHI limited on a NTK basis. From what I’ve heard, that particular loop of security is nonexistent at the present time. Quality of some of the individuals hired by the groups Sebelius et al. allowed to become Navigators leaves a lot to be desired on protection of PHI, if you get my drift.

No, my corporate plan renewed right on schedule, I’m just looking at the potential mess next year and planning accordingly.

For the record, if I suspect a cancellation, I’m calling my lawyer, incorporating, then calling an agent and buying a group plan.

Mew

Back when I was a small business owner, Lineholder, that’s exactly what I did – called my lawyer and incorporated, then called an insurance agent who was a friend of a friend (same way I found my lawyer) and picked a high deductible plan, then went to the bank and opened myself (and Mrs. Cat) an HSA account.

I set it up so the company paid all the premiums and called it a business expense, not sure how doing that would have worked if I’d had any employees other than me, though.

In short, it was a lot easier than messing with the individual market, but there are some legal issues to watch for, so do talk to your lawyer and accountant first.

Mew

What I don’t get is how this is even POSSIBLE. You have to work HARD to create a hole like this.

Speculating — they generate the letters and save them in a working directory, and sometimes the path to the directory gets exposed. Misconfigured, the server lets them see the directory contents — so they can see any letters generated and not yet cleaned up.

I’ve worked on systems with a similar approach — but it wasn’t sensitive information.

I’m guessing that they are either assigning unique identifiers or using SSN for unique identifiers in records created. If someone enters the wrong number sequence, and there isn’t a second or third tier screening security in place….they could get access to someone’s data this way, couldn’t they?
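The two guesses in the comments above (a web-reachable working directory with listing left on, and predictable record identifiers with no check that the letter belongs to the person asking) are both plain access-control failures, and the second one is easy to model. The following is an added example, not code from the original post, the thread, or HealthCare.gov, and it says nothing about how that site was actually built: a toy letter store that hands out sequential letter IDs, first with a lookup that trusts any logged-in user to ask for any ID, then with the same lookup bound to the authenticated account, plus an unguessable per-letter token as a second layer. Every name, ID and letter body is constructed for the example; the directory-listing guess is a web-server configuration matter and is not modeled here.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Letter:
    letter_id: int   # sequential, as the commenter suspects the site might assign
    owner: str       # the account that generated the letter
    body: str


@dataclass
class LetterStore:
    letters: Dict[int, Letter] = field(default_factory=dict)  # letter_id -> Letter
    tokens: Dict[str, int] = field(default_factory=dict)      # random token -> letter_id
    next_id: int = 1000

    def create(self, owner: str, body: str) -> int:
        lid = self.next_id
        self.next_id += 1
        self.letters[lid] = Letter(lid, owner, body)
        return lid

    # Vulnerable: the ID is the only thing consulted. Anyone who was issued 1001
    # can ask for 1000 or 1002 and get someone else's letter back.
    def fetch_insecure(self, requester: str, letter_id: int) -> Optional[str]:
        letter = self.letters.get(letter_id)
        return letter.body if letter else None

    # Hardened: the ID is still the key, but ownership is checked against the
    # authenticated session, never against anything the client supplied.
    def fetch_checked(self, requester: str, letter_id: int) -> Optional[str]:
        letter = self.letters.get(letter_id)
        if letter is None or letter.owner != requester:
            # Same answer for "no such letter" and "not yours", so a probe
            # cannot tell which IDs exist.
            return None
        return letter.body

    # Defence in depth: give the client an unguessable capability token instead
    # of exposing the raw sequential ID in the download link.
    def issue_token(self, requester: str, letter_id: int) -> Optional[str]:
        letter = self.letters.get(letter_id)
        if letter is None or letter.owner != requester:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = letter_id
        return token

    def fetch_by_token(self, requester: str, token: str) -> Optional[str]:
        lid = self.tokens.get(token)
        if lid is None:
            return None
        # The token still resolves through the ownership check, so a token
        # copied out of one session does nothing in another.
        return self.fetch_checked(requester, lid)


def enumerate_neighbours(store: LetterStore, requester: str, own_id: int,
                         fetch: Callable[[str, int], Optional[str]],
                         span: int = 2) -> Dict[int, str]:
    """Model of the guess in the thread: try the IDs on either side of your own."""
    hits: Dict[int, str] = {}
    for candidate in range(own_id - span, own_id + span + 1):
        if candidate == own_id:
            continue
        body = fetch(requester, candidate)
        if body is not None:
            hits[candidate] = body
    return hits


def demo() -> dict:
    store = LetterStore()
    # Constructed records; the enrollees are placeholders, not real people.
    id_a = store.create("user_a", "Eligibility letter for Enrollee A (NC)")
    id_b = store.create("user_b", "Eligibility letter for Enrollee B (SC)")
    store.create("user_c", "Eligibility letter for Enrollee C (SC)")

    leaked = enumerate_neighbours(store, "user_a", id_a, store.fetch_insecure)
    blocked = enumerate_neighbours(store, "user_a", id_a, store.fetch_checked)

    token_a = store.issue_token("user_a", id_a)
    return {
        "leaked": leaked,                                   # two other people's letters
        "blocked": blocked,                                 # nothing
        "own_via_token": store.fetch_by_token("user_a", token_a),
        "replayed": store.fetch_by_token("user_b", token_a),  # token bound to owner
        "token_for_other": store.issue_token("user_a", id_b),  # cannot mint for others
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `fetch_checked` is that the authorization decision uses only server-side state (the session's account and the record's owner); the client-controlled ID is a lookup key, nothing more. The token layer is optional hardening: it removes the guessable sequence from the URL, but on its own it would not fix the bug, which is why `fetch_by_token` still routes through the ownership check.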